NSSF IT DEPARTMENT MAGAZINE-Q1-2020



Q1:FY2020-2021

INFORMATION SECURITY AWARENESS

WHAT IS SOCIAL ENGINEERING?
Social Engineering is the art of psychologically manipulating unsuspecting users to lure them into revealing sensitive information. The types of information in question may vary, but when you are targeted, a perpetrator is usually trying to trick you into giving up your passwords or bank information, or into letting them secretly install malicious software that gives them access to your passwords and bank information as well as control over your computer.




WHAT IS INSIDE
HOW DOES SOCIAL ENGINEERING WORK?
WHAT DOES A SOCIAL ENGINEERING ATTACK LOOK LIKE?
DON’T BECOME A VICTIM!

HOW DOES SOCIAL ENGINEERING WORK?

Unlike a virus that depends on hacking techniques or malicious code to deliver its payload, social engineering depends on human psychology. Cyber-attackers tend to use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your system. Rather than spending months working on a new malware strain, attackers instead focus their attention on tricking users into divulging their password over the phone or through email.

Social engineering attacks centre around the attacker’s use of persuasion and confidence. When exposed to these tactics, you are more likely to take actions you otherwise wouldn’t. In most attacks, you’ll find yourself being misled through heightened emotions (fear, excitement, curiosity, guilt etc.), urgency or trust.



WHAT DOES A SOCIAL ENGINEERING
ATTACK LOOK LIKE?
The social engineering threat landscape is constantly changing, but some of the most common attacks include:
Phishing: - scams comprising email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims; they usually vary with current events, disasters, or tax season.
Pretexting: - use of an interesting pretext — or ploy — to capture someone’s attention. Once the story hooks the person, the fraudster tries to trick the would-be victim into providing something of value.
Malware: - victims are tricked into believing that malware is installed on their computer and that if they pay, the malware will be removed.
Quid pro quo: - a scam that relies on an exchange of information or service to convince the victim to act. Cyber-attackers make the victim believe it’s a fair exchange, but that’s far from the case, as the cheat always comes out on top.



WHAT DOES A SOCIAL ENGINEERING
ATTACK LOOK LIKE? -CONTD
Baiting: - similar to phishing attacks, but uses an online or physical social engineering lure that promises the victim a reward to entice them into taking an action.
Scareware: - focuses on emotions, and more specifically, fear. This type of attack usually manifests itself as malicious software that tricks users into purchasing fake antivirus protection and other potentially dangerous software.



DON’T BECOME A VICTIM!
Slow down: - If the message conveys a sense of urgency or uses high-pressure sales tactics, be sceptical; never let their urgency influence your careful review. If you stop to think about the ask and whether it makes sense or seems a bit fishy, you are more likely to act in your own best interest — not the scammer’s.
Research the facts: - Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number. Don’t click on links or open attachments from suspicious sources — and in this day and age, you may want to consider all sources suspicious. Unless you know the sender personally AND are expecting a file from them, downloading anything is a mistake.
Don’t let a link be in control of where you land: - Stay in control by finding the website yourself using a search engine, to be sure you land where you intend to land. Hovering over links in email will show the actual URL at the bottom, but a good fake can still steer you wrong.
Foreign offers are fake: - If you receive an email from a foreign lottery or sweepstakes, money from an unknown relative, or a request to transfer funds from a foreign country for a share of the money, it is guaranteed to be a scam.
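The "hover over the link" advice above can be automated on the receiving side: compare where a link says it goes with where its href really points. The following is an added example, not code from the magazine or the NSSF IT department; the e-mail body, domain names and IP address in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Constructed sample e-mail body (not taken from the magazine): two deceptive
# links whose visible text contradicts the real target, and one honest link.
SAMPLE_EMAIL_HTML = """
<p>Your account needs verification. Visit
<a href="http://198.51.100.7/login">https://www.example-bank.com/login</a> or
<a href="https://www.example-bank.com.evil.example/reset">www.example-bank.com</a>.
Help: <a href="https://support.example-bank.com/help">https://support.example-bank.com/help</a></p>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url: str) -> str:
    """Lower-cased host of a URL; bare 'www.site.example' text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def suspicious_links(html: str) -> list:
    """Return (href, text, reason) for each link whose target contradicts its label."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            findings.append((href, text, "target is a bare IP address"))
        elif re.match(r"(https?://)?[\w.-]+\.[a-z]{2,}", text.lower()):
            shown = host_of(text)  # the label itself looks like a URL or domain name
            if target != shown and not target.endswith("." + shown):
                findings.append((href, text, f"label says {shown}, target is {target}"))
    return findings
```

A link whose label is plain words ("click here") is not compared, so the check only catches labels that impersonate an address; the "Research the facts" advice still applies to those.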



DON’T BECOME A VICTIM! -CONTD
Use Multi-Factor Authentication: - Online accounts are
much safer when using more than just a password to protect
them. Multi-factor authentication adds extra layers to verify
your identity on login. These “factors” can include biometrics
like fingerprint or facial recognition, or temporary passcodes
sent via e-mail or text message.
Don’t open emails and attachments from suspicious
sources: - If you don’t know the sender in question, you don’t
need to answer an email. Even if you do know them and are
suspicious about their message, cross-check and confirm the
news from other sources, such as via telephone or directly from
a service provider’s site. Remember that email addresses are
spoofed all of the time; even an email purportedly coming from
a trusted source may have actually been initiated by an
attacker.
Be wary of tempting offers: - If an offer sounds too enticing,
think twice before accepting it as fact. Googling the topic can
help you quickly determine whether you’re dealing with a
legitimate offer or a trap.



DON’T BECOME A VICTIM! -CONTD
Use strong passwords (and a password manager): - Each of your passwords should be unique and complex; opt for longer passwords when possible. Aim to use diverse character types, including uppercase letters, numbers, and symbols. To help you manage all your custom passwords, you might want to use a password manager to safely store and remember them.
Your email software can help you: - Most email clients can
help filter out junk mail, including scams. If you think yours isn’t
doing enough, do a quick online search to find out how to
change its settings. The goal is to set your spam filters on high
to weed out as much junk mail as possible.


Fleepit Digital © 2020